Re: Support for NSS as a libpq TLS backend

Joshua Brindle <joshua.brindle@crunchydata.com>

From: Joshua Brindle <joshua.brindle@crunchydata.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Kevin Burke <kevin@burke.dev>, Jacob Champion <pchampion@vmware.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>, "hlinnaka@iki.fi" <hlinnaka@iki.fi>, "andrew.dunstan@2ndquadrant.com" <andrew.dunstan@2ndquadrant.com>, "sfrost@snowman.net" <sfrost@snowman.net>, "rachelmheaton@gmail.com" <rachelmheaton@gmail.com>, "thomas.munro@gmail.com" <thomas.munro@gmail.com>, "michael@paquier.xyz" <michael@paquier.xyz>, "andres@anarazel.de" <andres@anarazel.de>
Date: 2021-11-25T13:39:29Z
Lists: pgsql-hackers

Attachments

On Wed, Nov 24, 2021 at 8:49 AM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
>
> On Wed, Nov 24, 2021 at 8:46 AM Joshua Brindle
> <joshua.brindle@crunchydata.com> wrote:
> >
> > On Wed, Nov 24, 2021 at 6:59 AM Daniel Gustafsson <daniel@yesql.se> wrote:
> > >
> > > > On 23 Nov 2021, at 23:39, Joshua Brindle <joshua.brindle@crunchydata.com> wrote:
> > >
> > > > It no longer happens with v49, since it was a null deref of the pr_fd
> > > > which no longer happens.
> > > >
> > > > I'll continue testing now, so far it's looking better.
> > >
> > > Great, thanks for confirming.  I'm still keen on knowing how you triggered the
> > > segfault so I can ensure there are no further bugs around there.
> > >
> >
> > It happened when I ran psql with hostssl on the server but before I'd
> > initialized my client certificate store.
>
> I don't know enough about NSS to know if this is problematic or not
> but if I try verify-full without having the root CA in the certificate
> store I get:
>
> $ /usr/pgsql-15/bin/psql "host=localhost sslmode=verify-full user=postgres"
> psql: error: SSL error: Issuer certificate is invalid.
> unable to shut down NSS context: NSS could not shutdown. Objects are
> still in use.

Something is strange with ssl downgrading and a bad ssldatabase
[postgres@11cdfa30f763 ~]$ /usr/pgsql-15/bin/psql "ssldatabase=oops
sslcert=client_cert host=localhost"
Password for user postgres:

<freezes here>

On the server side:
2021-11-25 01:52:01.984 UTC [269] LOG:  unable to handshake:
Encountered end of file (PR_END_OF_FILE_ERROR)

Other than that and I still haven't tested --with-llvm I've gotten
everything working, including with an openssl client. Attached is a
dockerfile that gets to the point where a client can connect with
clientcert=verify-full. I've removed some of the old cruft and
debugging from the previous versions.

Thank you.

Commits

  1. Add tab-completion for CREATE FOREIGN TABLE.

  2. Add tap tests for the schema publications.

  3. Move Perl test modules to a better namespace

  4. Adjust configure to insist on Perl version >= 5.8.3.

  5. Simplify code related to compilation of SSL and OpenSSL

  6. Introduce --with-ssl={openssl} as a configure option

  7. Implement support for bulk inserts in postgres_fdw

  8. Fix redundant error messages in client tools

  9. doc: Apply more consistently <productname> markup for OpenSSL

  10. Check ssl_in_use flag when reporting statistics